Trojan-Downloader.Win32.Agent.fpp

Technical Details

This Trojan downloads another program via the Internet and launches it on the victim machine without the user’s knowledge or consent. It is a Windows PE EXE file. It is 38400 bytes in size. It is written in C++.

Installation

Once launched, the Trojan copies its body to the Windows system directory as "Ir32_a.exe":

It then deletes its original file.

In order to ensure that the Trojan is launched automatically each time the system is restarted, the Trojan registers its executable file in the system registry:

Payload

The Trojan sends a request to the remote malicious user's site:

It receives in reply a file containing links from which other objects will be downloaded. The file will be saved to the C: root directory: as "tmp.dat":

Files which are downloaded from the links contained in the file are saved to the Temporary Internet Files directory under their original names. Once they have been downloaded they are launched for execution.

At the moment of writing, the link was not active.

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

1. Delete the copy of the Trojan:
   %System%\Ir32_a.exe
2. Delete the contents of %Temporary Internet Files%.
3. Revert the following system registrykey:
   [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   "Userinit" = "C:\WINDOWS\system32\userinit.exe,Ir32_a.exe"

   to

   [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   "Userinit" = "C:\WINDOWS\system32\userinit.exe"
4. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).